ABSTRACT



A mechanism for authenticating multiple connections to a 
network server is disclosed. A client establishes a first 
connection to the server. In establishing the first connection, 
the client provides authentication information and authori- 
zation information, and in response the server assigns first 
access privileges to the client. When the client requests a 
second connection, the server receives authentication infor- 
mation from the client, and assigns limited access privileges 
to the client. The server associates the first connection with 
the second connection and the client. The server automati- 
cally associates the first access privileges with the second 
connection, without requiring the client to provide authori- 
zation information for the second connection. 

22 Claims, 6 Drawing Sheets 
VALIDATING CONNECTIONS TO A
NETWORK SYSTEM 

FIELD OF THE INVENTION

The present invention generally relates to management of computer networks, and relates specifically to validating connections to a network system.

BACKGROUND OF THE INVENTION

A network system generally includes a number of network devices, such as switches, routers, and others, connected so as to allow communication among the devices and end station devices such as desktop machines, servers, hosts, printers, fax machines, and others. Many companies have a desire to provide remote access to their computer networks. By allowing remote access, individuals can connect to the computer network to use it to work and obtain resource information while located at a remote site.

A popular method of providing remote access to a network is through the use of a dial-in network access server (NAS) that controls access to the network. For example, the server model AS5300, commercially available from Cisco Systems Inc., can be used to provide dial-in access to a company's network. Individuals can access the network system by dialing into the network access server from a Remote Node to establish a connection. In this document, the term Remote Node refers to a client device such as a personal computer (PC) or router that can be used to dial in and establish a connection with a network access server. A client/server relationship exists between the Remote Node (client) and the network access server (server).

A drawback associated with providing remote access to a company's network system is that unauthorized individuals can sometimes gain access to the network system, thus potentially allowing the company's resources and information to be accessed, used or compromised. To prevent unauthorized network access, several protocols have been developed that can be used to identify remote nodes that are authorized to remotely connect and access the network system before a connection is actually established.

Dial-in connections are typically made using one of the Internet's standard dial-in protocols, either the Point-to-Point Protocol (PPP) or the Serial Line Internet Protocol (SLIP). To prevent unauthorized network access, a "client authentication" phase is typically performed before a remote node is allowed to connect to a network access server. During the client authentication phase, the particular client that is requesting that a dial-in connection be established is identified.

PPP supports an optional authentication phase by providing two authentication protocols, the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). Both PAP and CHAP use a set of fixed passwords to authenticate a remote node that is requesting to make a dial-in connection with a network access server. To authenticate the remote node, both PAP and CHAP require the remote node to provide "client access" information that can be used to determine whether the remote node is allowed to remotely connect to the network access server.

For example, if CHAP is used to establish the connection, a "challenge" message is sent by the network access server to the remote node. Upon receiving the challenge message, the remote node calculates a value based on the challenge message and the shared secret using a "one-way" hash function. The remote node then returns the calculated value to the network access server. Upon receiving the calculated value, the network access server compares the value to its own calculation of the expected hash value. If the values match, the remote node is identified and the network access server establishes a connection with the remote node. A benefit of using CHAP is that it protects against replay of a captured response, because the challenge value is varied from one authentication phase to the next.
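The CHAP exchange described above, written out with both sides' messages as an added example (this is not code from the patent or from any Cisco product): the peer computes the RFC 1994 MD5 response over Identifier, shared secret and Challenge, and the authenticator binds each response to the challenge it issued, so a response captured on the wire fails against a fresh challenge. The peer name, the shared secret and the single-use challenge bookkeeping are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed shared secrets for the example (assumption: a real NAS would hold
# these in its per-peer configuration or a TACACS+/RADIUS back end).
SECRETS = {"remote-node-x": b"correct-horse-battery-staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The network access server side: issues a fresh challenge per attempt
    and accepts exactly one response per challenge."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.identifier = 0
        self.outstanding = {}  # Identifier -> challenge still awaiting a response

    def challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) % 256
        chal = os.urandom(16)  # RFC 1994: unpredictable and never repeated
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self.outstanding.pop(identifier, None)  # consumes the challenge
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


class Peer:
    """The remote node: proves knowledge of the secret without sending it."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> tuple:
        return self.name, chap_response(identifier, self.secret, challenge)


def run_exchange() -> tuple:
    """Returns (first attempt accepted, replay of the captured response accepted)."""
    nas = Authenticator(SECRETS)
    peer = Peer("remote-node-x", SECRETS["remote-node-x"])

    ident, chal = nas.challenge()
    name, resp = peer.respond(ident, chal)
    first_ok = nas.verify(ident, name, resp)

    # An eavesdropper captured (ident, name, resp) on the wire and replays it.
    replay_old_id = nas.verify(ident, name, resp)   # that challenge is already consumed
    ident2, _ = nas.challenge()
    replay_new_id = nas.verify(ident2, name, resp)  # a different challenge value
    return first_ok, replay_old_id or replay_new_id


if __name__ == "__main__":
    print(run_exchange())  # (True, False)
```

Two limits the patent text does not spell out: MD5-CHAP requires the authenticator to hold each peer's secret in recoverable form, and a captured challenge/response pair can be brute-forced offline against a weak fixed password, which is exactly why the later sections bring in one-time passwords on top of the client phase.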

Alternatively, using PAP a user is required to supply client 
access information in the form of a username and password 
that is used by the network access server to identify the 
remote node. If the user is using a "hands on" remote device 
having a display and input device, such as a PC, the network 
access server may cause a login window to be displayed on 
the monitor of the PC. The user is then required to enter a 
valid username and password in order to establish a con- 
nection between the network access server and the remote 
node. Based on the supplied username and password, the 
network access server can identify the remote node to 
determine whether a connection should be established 
between the network access server and the remote node. 

Following the client authentication phase, a "client autho- 
rization" phase is performed to determine the functions and 
operations that may be performed by the remote node during 
the lifetime of the connection. The client authorization phase 
is performed by the NAS on behalf of the remote node. To 
perform the client authorization phase, the NAS determines 
a set of access privileges based on the identity of the remote 
node. These access privileges are then assigned to the 
established connection and control the set of functions and 
operations that may be performed by the remote node. 

One drawback with using dial-in protocols such as PPP or 
SLIP to establish a dial-in connection is that all connections 
that are established between a particular remote node and a 
network access server are provided with the same set of 
access privileges. For example, when user A connects to a 
first network access server using remote node X, they are 
provided the same set of access privileges that are provided 
to user B when they connect to the first network access 
server using remote node X. Thus, access privileges cannot 
be provided on a per user basis. 

Another drawback with using dial-in protocols such as PPP or SLIP to establish a dial-in connection is that they require fixed passwords and therefore cannot take advantage of the extra security that is provided through the use of a Smart card or Token card. One type of Token card, the SecurID card commercially available from Security Dynamics, Inc., continually generates a series of one-time passwords, each of which can be used once to log into a network access server. The Token card works in conjunction with a password server, such as Security Dynamics' ACE password server, and generates a response that is unique for every login. The result is a one-time password that, if monitored, cannot be reused by an intruder to gain access to an account. To use the Token card, the user typically enters the series of digits and letters displayed on the Token card in the prompt window, or inserts the card into a reader that is coupled to the Remote Node. The password server internally generates one-time passwords in sync with the card. The one-time password is then used to verify that the user is allowed to log into the network access server through the remote device to access the network system, by comparing the card password to the password server's password at a particular instant in time.

In certain cases, Token cards can provide a greater level of security, as the password is only valid for a single session. For example, sometimes a user selects the "save password" button on the client so that the user does not have to enter the client access information every time they dial in to the network access server. However, if the individual's client computer is stolen, an unauthorized user may potentially dial in and connect to the network access server, thus compromising the information and resources that are accessible through the network access server. Conversely, if a Token card could be used to provide the client access information, even if an individual's computer is stolen, an unauthorized user will not be able to log into the network access server and gain access to the network system without also obtaining the Token card.

In addition, many home office users have begun using access router devices, such as router models 1004 and 1604, commercially available from Cisco Systems Inc., to remotely connect to a company's network access server. Access routers are "hands-off" devices that have no display device and therefore cannot display a login window for the user to enter user access information. Instead, the user is required to provide the user access information through an alternative means such as a Token card. Passwords are statically configured or stored in the router.

Based on the foregoing, there is a clear need for a mechanism that provides users with an individual set of access privileges for controlling their access to a network system.

There is also a clear need for a mechanism that does not compromise the security of the network system, yet allows additional connections to be established for a particular user without requiring the user to enter additional access information.

There is also a need for a mechanism that provides for the use of Token cards with hands-off devices, such as routers and other devices.

There is also a clear need for a mechanism that can provide an enhanced password security system that can reduce unauthorized access of a company's network.

There is an additional need for a mechanism having these characteristics and also providing two levels of security.

SUMMARY OF THE INVENTION

The foregoing needs, and other needs and objects that will become apparent from the following description, are achieved in the present invention, which comprises, in one aspect, a method for establishing connections between a client and a server, the method comprising the steps of receiving a request to establish a connection between the client and the server; performing client authentication by determining whether the client is allowed to connect to the server; performing client authorization by assigning a set of client access privileges to the connection; performing user authentication by determining whether the user is allowed to access the server; and performing user authorization by assigning a set of user access privileges to the connection.

One feature of this aspect is that the step of performing user authentication comprises the steps of receiving user access information, wherein the user access information is associated with a particular user; and determining whether the user is allowed to access the server based on the user access information that is received. Another feature is that the step of performing user authorization comprises the step of determining the set of user access privileges based on the user access information; and replacing the set of client access privileges assigned to the connection with the set of user access privileges.

Yet another feature is that the step of receiving the request to establish the connection comprises the step of receiving a dial-in request at the server from the client. Still another feature is that the step of performing the client authentication phase comprises the steps of receiving client access information that is associated with the client; and determining whether the user is allowed to access the server based on the client access information that is received.

According to another feature, the step of performing client authorization comprises the step of identifying a set of minimal access rights, wherein the set of minimal access rights severely restricts functions that can be performed through the connection; and assigning the set of minimal access rights to the connection. In still another feature, the step of performing client authentication comprises the step of authenticating the client using the Challenge Handshake Authentication Protocol (CHAP). A related feature is that the step of performing the client authentication phase comprises the step of authenticating the client using the Password Authentication Protocol (PAP). Another related feature is that the step of performing client authentication comprises the step of establishing a first connection between the client and the network access server when the client is allowed to connect to the server.

Still another feature is that the step of receiving user access information comprises the step of receiving user access information that is supplied from a Token card. A related feature is that the step of receiving user access information comprises the steps of displaying a login window on the client; and receiving user access information in the login window.

According to another feature, the step of establishing the first connection comprises the step of establishing a first Point-to-Point Protocol (PPP) connection between the client and the network access server. A related feature is that the step of establishing the first connection comprises the step of establishing a first Serial Line Internet Protocol (SLIP) connection between the client and the network access server.

In yet another feature, the method further involves the steps of receiving a second request to establish a second connection between the client and the server; performing a second client authentication by determining whether the client is allowed to connect to the server; determining whether a first connection is active between the client and the server; and assigning the set of user access privileges to the second connection, wherein the set of user access privileges are assigned to the second connection without performing the second client authentication. A related feature is that the step of performing the second client authentication comprises the step of establishing the second connection between the client and the network access server when the client is allowed to connect to the server.

In another related feature, the step of establishing the second connection comprises the step of establishing a second Point-to-Point Protocol (PPP) connection between the client and the network access server. In still another related feature, the step of establishing the second connection comprises the step of establishing a second Serial Line Internet Protocol (SLIP) connection between the client and the network access server.

According to yet a further feature, the step of establishing the second connection comprises the steps of generating a bundle header at the network access server; and attaching the first connection and the second connection to the bundle header.

The invention also encompasses a computer-readable medium, a computer data signal embodied in a carrier wave, and an apparatus configured to carry out the foregoing steps.
BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings, in which like reference numerals refer to similar elements and in which:

FIG. 1 is a block diagram of a computer system architecture in which the present invention may be utilized;

FIG. 2 is a block diagram of the system of FIG. 1 showing certain internal details;

FIG. 3A is a flow diagram that illustrates steps involved in a method of validating a plurality of connections to a network access server;

FIG. 3B is a flow diagram that illustrates further steps in the method of FIG. 3A;

FIG. 4 is a block diagram of an alternative system in which an embodiment of the invention may be utilized; and

FIG. 5 is a block diagram of a computer system hardware arrangement that can be used to implement aspects of the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

A method and apparatus for validating access to a network system is disclosed. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention.

Operational Context 

In one embodiment, a client, acting as a "peer," sends a message to a server, acting as an "authenticator," requesting that a connection be established. Upon receiving the request from the client, the server communicates with the client to configure and establish a connection between the client and the server. In certain embodiments, a point-to-point connection is established between the client and the server.

To establish the connection, a client authentication phase is performed by the server to determine whether the client is allowed to maintain a connection with the server. If the client is allowed to maintain a connection with the server ("Authenticated"), the server performs a client authorization phase to identify a set of client access privileges ("client privileges") based on certain attributes of the client. The client privileges provide a limited set of access rights to the user that is attempting to access the network system over the connection that was established between the client and the server.

Once the connection between the client and the server is Authenticated and Authorized, a user authentication phase is initiated to determine whether the particular user is allowed to access the server. During the user authentication phase, the user is required to supply "user" access information. The user access information is used to determine whether the user is allowed to access the server. The server then performs a user authorization phase, which determines a set of user access privileges ("user privileges") based on the supplied user access information. The user privileges are then assigned to the connection and are used to determine which network devices and network resources are accessible by the particular user. Thus, the user privileges take precedence over, and therefore override, the client privileges. In this context, the act of overriding the client privileges is referred to as "the connection inheriting the user privileges".

In certain embodiments, when a client requests a server to 
establish a session, the server determines whether a connec- 
tion already exists between the client and the server. If the 
server determines that a connection already exists, an addi- 
tional connection is established by performing only the 
client authentication phase to authenticate the client. Thus, 
instead of performing the client authorization phase to 
determine the client privileges, the user privileges that were 
previously assigned to the prior connection are automati- 
cally inherited by the additional connection. Thus, only the 
client authentication phase is repeated to establish additional 
connections between the client and the network access 
server. 

FIG. 1 is a block diagram of a system 100 in which the invention can be used. Generally, the system 100 includes a client 102, a network access server 104, and a network 108. Client 102 and network access server 104 are respectively located in logically distinct regions 101 and 103, which may be geographically separate.

The client 102 is a device, such as a PC or router, that is capable of dialing into the network access server 104 to establish a connection 116. In one embodiment, client 102 is itself a network access server that is used to establish one or more connections to the network access server 104. Client 102 is used by or associated with a user 106. Although one client 102 is shown in FIG. 1 by way of example, any number of clients can be included in the system 100, and multiple connections 116 can be used to connect the clients to the network access server 104.

The network 108 is a network system comprising any number of network devices 114a, 114b, 114c interconnected by one or more communications channels 109. Ethernet, Token Ring, or other protocols can characterize the communications channels 109. Communication channels 109 may form part of a LAN or WAN.

The network access server 104 is a computer, or a group of hardware or software components or processes that cooperate or execute in one or more computer systems. The network access server 104 is coupled to the network 108 and controls remote access to the network 108 and the network devices 114a-c.

In certain embodiments, a firewall (not shown), such as 
the Cisco PIX Firewall, which is commercially available 
from Cisco Systems, Inc. may be logically interposed 
between the network access server 104 and network 108. 
The firewall may be used to control access and log-in access 
attempts to network 108 based on identification information 
that is associated with the outside communication, by inter- 
cepting all communications moving to and from the network 
access server 104 and determining whether to admit or block 
the communications. The firewall can be used to prevent 
unauthorized clients from connecting to network 108 and 
other devices that are logically behind the firewall. 

The network access server 104 has a daemon 112 that can respond to a dial-in request from the client 102 to establish a connection 116 between the server 104 and the client 102. As used in this document, "daemon" generally means a program that services network requests for client authentication and authorization, verifies identities, grants or denies authorizations, and logs accounting records.

In certain embodiments, daemon 112 runs on a computer that is separate from network access server 104 and communicates with the network access server 104 over an internal network. For example, the daemon 112 can be a TACACS+ server or a RADIUS server that functions as a separate entity from the network access server 104.

In a preferred embodiment, the connection 116 is established as a Point-to-Point Protocol (PPP) connection. However, PPP is merely an example of a communications protocol that can be used in an embodiment. Other protocols, such as the Serial Line Internet Protocol (SLIP), that facilitate the exchange of information between a client and server can be used. PPP is described in "Understanding PPP and PPP Authentication," accessible at http://www-fr.cisco.com/warp/public/779/smbiz/service/knowledge/wan/ppp_auth.htm. PPP is defined in W. Simpson, "The Point-to-Point Protocol," RFC 1548, December 1993. PPP MP is described in K. Sklower et al., "The PPP Multilink Protocol (MP)," RFC 1990, August 1996.

The server 104 also runs application programs, such as an authorization application 124. The authorization application 124 is a back-end, server-side mechanism that is used to determine whether a particular user is authorized to access the network 108 through network access server 104.

FIG. 2 is a block diagram of the system of FIG. 1 showing certain internal details. In this example, the client is a personal computer 201 having a plurality of modems that can be used by user "A" 106 to establish a plurality of dial-in connections. The network access server 104 has a daemon 112 that can respond to requests from the client 102 to establish one or more connections 204 and 206 between the network access server 104 and the client 102. In certain embodiments, personal computer 201 is configured with, or coupled to, multiple modems or ISDN bearer channels that can be used to establish the one or more connections 204 and 206. In one embodiment, the personal computer 201 runs a browser application program 208, such as Netscape Navigator® or Microsoft Internet Explorer®. User 106 can use browser 208 to cause a connection to be established with network access server 104. Personal computer 201 may also run a dial-up networking application program or other software components that cause a dial-in connection to be established.

Establishing an Initial Connection

Upon receiving a dial-in request from client 102, the daemon 112 performs a client authentication phase to authenticate client 102 as being allowed to connect with network access server 104. In the preferred embodiment, the authentication phase involves the exchange by client 102 and network access server 104 of one or more messages having a form and content defined by CHAP. CHAP is described in W. Simpson, "PPP Challenge Handshake Authentication Protocol," RFC 1994, August 1996. In one embodiment, connections 204 and 206 are established as PPP Multilink Protocol (MP) connections that are attached at a bundle header 202 in network access server 104. However, PPP MP is merely an example of a communications protocol that can be used for connections 204 and 206. Thus, other communication protocols that provide the necessary communication interface can be used.

To establish a first connection 204 between the client 102 and the network access server 104, the daemon 112 performs a client authentication phase to determine whether personal computer 201 is allowed to connect to the network access server 104. If the client 102 is identified as being allowed to connect to the network access server 104, the first connection 204 is established and a subsequent client authorization phase is performed to establish the client privileges for personal computer 201. During the client authorization, a set of client access privileges is associated with the first connection 204.

Once the client authentication and client authorization phases complete, a "user authentication" phase is performed to verify that the particular user is allowed to access the network system.

During the user authentication phase, user A is required to provide "user access" information, typically in the form of a username and password. The user access information is used by authorization application 124 to verify that the user A is allowed to access the network system 108 using the network access server 104. If the user A is using a "hands on" remote device having a display and input device, such as a PC 201, the network access server 104 may cause a login window to be displayed on the monitor of the PC 201. The user A is then required to enter a valid username and password in order to log into the network access server to gain access to the network system.

After the user authentication phase completes, a "user authorization" phase is performed, this time on behalf of the user A, to determine the new access rights for the first connection 204. These new access rights override the access rights that were previously established during the client authorization phase.

In one embodiment, to begin the user authentication phase, the user A telnets to the network access server 104 using the first connection 204. The user A then provides a valid username and password to establish the telnet connection. The valid username and password may be provided to the network access server 104 using a variety of techniques. For example, a static username and password that is associated with the particular user may be used to establish the telnet connection. Alternatively, user access information that is obtained through the use of a Smart card or Token card may be provided to the network access server 104.

Once the telnet connection is established, the authorization application 124 runs an access profile command that causes the first connection 204 to inherit the set of user access privileges. Thus, the set of client access privileges that were initially associated with the first connection 204 are replaced with the new set of user access privileges. This provides for a different set of user access privileges to be established for each user who establishes a connection with network access server 104.

Establishing Additional Connections

A drawback with using dial-in protocols such as PPP or SLIP is that additional connections that are made by a client that is currently connected to the network access server are treated as separate connections during the client authentication and authorization phases. Thus, to establish a second connection between the remote node and the network access server, the user is required to reenter valid user access information a second time.

For example, consider the situation of a small office or home office user who uses a client that communicates with a network using an integrated services digital network (ISDN) line having first and second bearer (data) channels. Normally the client connects to a network, ISP, or server using only the first data channel and using the access procedure described above. If an additional connection is made, for example, by activating the second ISDN channel to accommodate a large data transfer, the user is required to enter valid client access information to establish the second connection. Requiring client access information to be entered whenever an additional connection is made can be both irritating and burdensome on the user. In addition, if the user is using a Token card with a "one-time" password, the user must again use the Token card to provide another valid one-time password for the additional connection. PPP users having multiple connections (for example, PPP Multilink connections) experience the same inconvenience.

One method of allowing users to establish multiple connections using a Token card is through a mechanism known as "Token caching". To perform Token caching, the network access server saves the one-time password in memory for a certain period of time. Whenever a new connection is established, the network access server uses the stored "one-time" password again as the client access information to authorize the connection. Although Token caching can allow additional connections to be established by users using a Token card, the use of Token caching compromises the security of the network system, because additional connections are established using the same one-time password. Because the same one-time password can be used to establish additional connections, the network system is open to attacks by unauthorized users. For example, by allowing the one-time password to be used multiple times for establishing additional connections, if the one-time password is "sniffed" by an unauthorized user while it is still saved in memory, it can be used to connect to the network access server and thereby gain unauthorized access to the network system.

Therefore, to establish additional connections, such as additional connection 206, neither the client authorization phase, the user authentication phase nor the user authorization phase is performed. Instead, the authorization application 124 identifies connection 206 as being from a client, namely personal computer 201, that already has an active first connection 204, and therefore automatically assigns to the additional connection 206 the same privileges that were assigned for connection 204. Thus, to establish additional connection 206, the user "A" 106 is not required to enter valid user access information a second time.

Although one client 102 is shown in FIG. 2 by way of example, any number of clients can be included in the system 200, and multiple connections 204 and 206 can be used to connect the clients to the network access server 104.

Establishing Connections

FIG. 3A and FIG. 3B are flow diagrams that illustrate a method of validating one or more connections in the foregoing context. The steps of FIG. 3A and FIG. 3B will be explained with reference to the components of FIG. 2. For explanation purposes, connection 204 is the first or initial connection made and connection 206 is the second or additional connection made. Of course, the converse is also appropriate.

At block 302, a network access server receives a request to establish a connection with a client. The request may be received as the result of a user operating a client to dial into a network access server to request a connection to be established. For example, in one embodiment, user 106 executes browser 208 on client 102 to dial into network access server 104 to request a PPP Multilink connection.

As shown by block 304, upon receiving the dial-in request, the network access server performs a client authentication phase. As part of the client authentication phase, the network access server uses client access information to determine whether the client is allowed to establish a connection with the network access server. In one embodiment, the client authentication phase is performed using CHAP.
For example, upon receiving a dial-in request from the client 102 as peer, the daemon 112 in network access server 104 as authenticator sends a "challenge" message to the client 102. The client 102 then responds to the challenge with a value that is calculated using a one-way hash function. Daemon 112 computes an expected hash value. Upon receiving the value from the client 102, the daemon 112 compares the value against the expected hash value to determine whether the connection should be established.

CHAP is used only as an example of an authentication 
protocol that can be used in performing the authentication 
phase. Other alternative embodiments may include perform- 
ing the authentication phase using an authentication protocol 
such as PAP. 

If the test of block 304 determines that the client is not 
authorized to establish a connection with the network access 
server, then as shown by block 306, the connection is 
refused or terminated. 

However, if the test of block 304 determines that the client is allowed to establish a link with the network access server, then as shown by block 308, the network access server determines whether a connection is currently active between the client and the network access server. For example, for MP connections, an active connection is identified by an "endpoint-discriminator". In one embodiment, the endpoint-discriminator is the name of the remote node. An additional connection that is made by the same client will contain the same endpoint-discriminator and therefore can be used to determine whether a connection is currently active between the network access server and the client. The use of endpoint-discriminators for determining existing connections is discussed in the Multilink Protocol RFC cited above, RFC 1990.

If at block 308 it is determined that a connection is 
currently active between the client and the network access 
server, then as shown in block 310, the network access 
server automatically establishes the additional connection 
without requiring additional authentication and authoriza- 
tion phases to be performed. Instead, the additional connec- 
tion inherits the set of user access privileges that were 
assigned to the previous connection. Thus, the user is not 
required to reenter valid user access information to establish 
the additional connection. In an exemplary embodiment, 
additional connections are established as MP connections 
and are attached to a data structure called a bundle header 
that causes the multiple connections to appear as a single 
connection, but having benefit of a throughput rate from 
multiple connections. 

Alternatively, if the test of block 308 determines that an active connection does not exist between the client and the network access server, then as shown by block 312, a client authorization phase is performed to assign a set of client privileges to the connection. In one embodiment, the set of client access privileges enables the user to telnet into the network access server, but restricts other protocols or interfaces. For example, in establishing the connection 204, the daemon assigns a limited set of privileges to the connection 204, which severely restrict what functions can be performed through the connection. Generally, it is preferable to configure the client privileges so as to provide minimal network access. For example, the use of all protocols, including Internet Protocol (IP), except when used to connect to the network access server, should be prohibited via appropriate access lists on the network access server.
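
The procedure of blocks 302 through 322 (FIG. 3A above and FIG. 3B, described next), modeled as an added example that is not part of the patent and is not Cisco's implementation; the NetworkAccessServer class, the CHAP secret, the token-card values and the privilege names are constructed for illustration. It also shows why a one-time password that is consumed, rather than cached, is useless on a later link.

```python
"""Model of the two-stage connection validation of FIG. 3A/3B (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample data (hypothetical names and values, not from the patent).
CHAP_SECRETS = {"router-401": b"constructed-chap-secret"}   # static CHAP password in the router
TOKEN_CARDS = {"userA": {"481516", "234208", "915762"}}     # OTPs a hypothetical token card shows
USER_PROFILES = {"userA": frozenset({"telnet-to-nas", "ip", "corp-lan"})}
CLIENT_PRIVILEGES = frozenset({"telnet-to-nas"})            # block 312: minimal client privileges


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def make_client(secret: bytes):
    """A dial-in client (router) that answers CHAP challenges with its static secret."""
    return lambda ident, challenge: chap_response(ident, secret, challenge)


@dataclass
class Bundle:
    """One MP bundle: the endpoint-discriminator names the client; links join it (block 310)."""
    endpoint_discriminator: str
    privileges: frozenset
    links: int = 0


class NetworkAccessServer:
    def __init__(self):
        self.bundles = {}        # endpoint-discriminator -> Bundle, consulted at block 308
        self.used_otps = set()   # OTPs already accepted; none are cached for reuse

    def chap_authenticate(self, client_name: str, respond) -> bool:
        """Block 304: challenge the peer and compare its answer with the expected hash."""
        secret = CHAP_SECRETS.get(client_name)
        if secret is None:
            return False
        ident, challenge = 1, os.urandom(16)
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(respond(ident, challenge), expected)

    def connect(self, client_name: str, endpoint_discriminator: str, respond):
        """Blocks 302-312 of FIG. 3A. Returns (outcome, privileges now on the link)."""
        if not self.chap_authenticate(client_name, respond):
            return "refused", frozenset()                    # block 306
        bundle = self.bundles.get(endpoint_discriminator)    # block 308
        if bundle is not None:
            bundle.links += 1                                 # block 310: inherit, no user auth
            return "bundled", bundle.privileges
        bundle = Bundle(endpoint_discriminator, CLIENT_PRIVILEGES, links=1)
        self.bundles[endpoint_discriminator] = bundle        # block 312: restricted first link
        return "restricted", bundle.privileges

    def user_login(self, endpoint_discriminator: str, username: str, otp: str):
        """Blocks 314-322 of FIG. 3B: the user presents an OTP over the restricted link."""
        bundle = self.bundles.get(endpoint_discriminator)
        if bundle is None or "telnet-to-nas" not in bundle.privileges:
            return "no-connection", frozenset()
        valid = otp in TOKEN_CARDS.get(username, set()) and otp not in self.used_otps
        if not valid:                                         # block 318 fails
            del self.bundles[endpoint_discriminator]          # block 320: link terminated
            return "terminated", frozenset()
        self.used_otps.add(otp)                               # consumed, unlike Token caching
        bundle.privileges = USER_PROFILES[username]           # block 322: access-profile replace
        return "authorized", bundle.privileges


def demo_multilink():
    """First channel restricted, OTP login upgrades it, second channel inherits the profile."""
    nas = NetworkAccessServer()
    router = make_client(CHAP_SECRETS["router-401"])
    first = nas.connect("router-401", "router-401", router)    # ("restricted", {telnet-to-nas})
    login = nas.user_login("router-401", "userA", "481516")    # ("authorized", full profile)
    second = nas.connect("router-401", "router-401", router)   # ("bundled", full profile)
    return first, login, second


def demo_replay():
    """An OTP that was already consumed terminates a later link that presents it again."""
    nas = NetworkAccessServer()
    router = make_client(CHAP_SECRETS["router-401"])
    nas.connect("router-401", "router-401", router)
    nas.user_login("router-401", "userA", "481516")
    nas.connect("router-401", "other-node", router)            # new bundle, restricted
    return nas.user_login("other-node", "userA", "481516")     # ("terminated", frozenset())


def demo_bad_secret():
    """A peer without the router's CHAP secret never gets past block 304."""
    nas = NetworkAccessServer()
    return nas.connect("router-401", "router-401", make_client(b"wrong"))  # ("refused", ...)


if __name__ == "__main__":
    print(demo_multilink())
    print(demo_replay())
    print(demo_bad_secret())
```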

Referring now to FIG. 3B, as shown by block 314 the user interacts with the client in order to communicate with the network access server over the established connection. In one embodiment, the user uses the client to telnet to an authorization application. For example, to establish connection 204, client 102 telnets to the authorization application 124 over connection 204.

As shown by block 316, a user authentication phase is performed to determine whether the user is authorized to connect to the network access server. To perform the user authentication phase, the user is required to provide user access information that is used by the authorization application to determine if the user should be allowed to connect to the network access server. In one embodiment, the user access information is provided through the use of a Token card. For example, after telnetting to the authorization application 124, the user 106 enters a one-time password (token) displayed on the Token card in a login window that is displayed on the client 102 by the authorization application 124. In an alternative embodiment, the user inserts the token card in a token card reader that is connected to client 102. The client 102 then automatically reads and sends a one-time password contained on the token card to the authorization application 124. In yet another embodiment, the user 106 enters static user access information (for example, a pre-assigned username and password) in response to a login window displayed on the client 102.

As shown by block 318, upon receiving the user access information, the authorization application determines whether the user is authorized to connect to the network access server.

If the test of block 318 determines that the user is not authorized to connect to the network access server, then as shown by block 320, the authorization application notifies the daemon and the connection between the client and the network access server is terminated.

Conversely, if at block 318 the authorization application determines that the user is authorized to connect to the network access server, then as shown by block 322, a set of user access privileges is determined based on the user access information that was supplied during the user authentication phase. An initial connection is then established between the client and the network access server having the user access privileges. In an exemplary embodiment, the initial connection is established as an MP connection.

In certain embodiments, to establish the initial connection with the correct privileges, the network access server simulates the termination of the connection and the restarting of a new connection. When the new connection is restarted, the restarted connection is assigned access privileges based on the user access information that was retrieved from the daemon on behalf of the user (user privileges). For example, to establish connection 204, the network access server 104 first terminates and then restarts connection 204 with access privileges based on the user privileges that were received from the daemon by the authorization application 124.

In the preferred embodiment, the user's network authorization profile is configured to include an autocommand that runs an "access-profile" command. The access-profile command carries out the steps of block 322. The access-profile command removes the restrictions imposed during the initial PPP authorization, and installs new or different privileges that are associated with the user. The access-profile command causes all PPP network control protocols to be re-authorized with the user's username instead of the CHAP username of the router or dial-in client. As a result, the user's privileges are used instead of the router's network profile (client privileges). This allows two different profiles to be used at two different times in the negotiation process.

Additional PPP multilink channels established for the user continue to use the static CHAP password configured in the router, but are then attached to the bundle header 202 and thereby become part of the multilink bundle. Since the bundle has been authenticated, the additional channels logically or conceptually inherit the security characteristics of the first connection.

The authorization, authentication and accounting (AAA) portion of the network operating system used on the network devices of network 108 must be configured to carry out network authentication and authorization. In the preferred embodiment, the network devices of network 108 run the Cisco Internetworking Operating System (IOS), and IOS is configured for network authentication and authorization using the commands

    aaa new-model
    aaa authentication ppp default radius
    aaa authorization network radius

and then the access-profile command is executed. In another embodiment, the command "aaa authorization network radius" is replaced with the command "aaa authorization network tacacs+".

In one embodiment, the access-profile command has optional parameters "merge" and "replace". Executing the command "access-profile merge" causes the IOS to remove old access lists, per user and per interface, from the interface, and install a completely new profile. Executing the command "access-profile replace" removes all per-user configurations for the current interface, and installs a completely new profile.

In the preferred embodiment, the operating system executed by the network devices in network 108 has a software unit providing downloadable per-user attribute extensions. An example of an operating system having such extensions is IOS Release 11.3(1) commercially available from Cisco Systems, Inc.

In certain embodiments, the authentication phase is periodically performed on connections that have been established between a client and the network access server.

Other Configurations

In addition to the embodiment depicted in FIG. 2, alternative configurations may be used for authenticating a plurality of connections as described in the foregoing context. FIG. 4 is a block diagram of an exemplary alternative configuration. Client 102 is a router 401, such as a Cisco router model 1004 or 1604, coupled to the network access server 104. In another embodiment, client 102 is itself a network access server, such as Cisco server model AS5300, coupled to network access server 104. Client 102 is coupled to a personal computer 408. By interacting with the personal computer 408 through browser 410, a user 106 can authenticate a plurality of connections 402, 404 and 406 in the manner described above in FIG. 3A and FIG. 3B.

For example, at block 302, the user operates a personal computer to cause the client to dial into a network access server to request a connection to be established. For example, in one embodiment, user 106 executes browser 410 on personal computer 408 to cause router 401 to dial into network access server 104 to request a PPP Multilink connection.

Similarly, if the test of block 308 determines that a connection is not currently active between the network access server and the client, then at block 314 the user interacts with the personal computer to cause the client to communicate with the network access server over the established connection. In one embodiment, the user uses the personal computer to interface with the client to telnet to an authorization application on the network access server. For example, to establish connection 402, the user 106 operates personal computer 408 to telnet to the authorization application 124 over connection 402 through client 102.

Likewise, at block 316, the authorization application receives user access information from the user. In one embodiment, the user access information is provided to the authorization application through the use of a Token card. For example, after telnetting to the authorization application 124, the user 106 enters a one-time password from a Token card. The information on the Token card is read by the client 102 and then sent from the client 102 to the authorization application 124 over connection 402. In an alternative embodiment, the user access information is entered by the user 106 in response to a login window that is displayed on the personal computer 408 by the authorization application 124. Once the user access information is entered by the user 106, it is sent to the client 102 and then forwarded from the client 102 to the authorization application 124 over connection 402.

In still another configuration, in the system 200 or system 400, a single software component executes on network access server 104. The single software component comprises the functions of the daemon 112 and authentication application 124 in integrated form.

In another configuration, in system 200 or system 400, the network connection functions carried out by browser 208 or browser 410 are handled by a telecommunications program rather than a browser.

Hardware Overview

FIG. 5 is a block diagram that illustrates a computer system 500 upon which an embodiment of the invention may be implemented. The preferred embodiment is implemented using one or more computer programs running on a router device. Thus, in this embodiment, the computer system 500 is a router.

Computer system 500 includes a bus 502 or other communication mechanism for communicating information, and a processor 504 coupled with bus 502 for processing information. Computer system 500 also includes a main memory 506, such as a random access memory (RAM), flash memory, or other dynamic storage device, coupled to bus 502 for storing information and instructions to be executed by processor 504. Main memory 506 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 504. Computer system 500 further includes a read only memory (ROM) 508 or other static storage device coupled to bus 502 for storing static information and instructions for processor 504. A storage device 510, such as a magnetic disk, flash memory or optical disk, is provided and coupled to bus 502 for storing information and instructions.

An input interface 514 may be coupled to bus 502 for communicating information and command selections to processor 504. Input interface 514 is a conventional serial interface such as an RS-232 or RS-422 interface. An external terminal or computer system connects to the router or computer system 500 and provides commands to it using the input interface 514. Firmware or software running in the computer system 500 provides a terminal interface or character-based command interface so that external commands can be given to the computer system.

The invention is related to the use of computer system 500 for validating connections to a network system. According to one embodiment of the invention, the validating of connections to a network system is provided by computer system 500 in response to processor 504 executing one or more sequences of one or more instructions contained in main memory 506. Such instructions may be read into main memory 506 from another computer-readable medium, such as storage device 510. Execution of the sequences of instructions contained in main memory 506 causes processor 504 to perform the process steps described herein. One or more processors in a multi-processing arrangement may also be employed to execute the sequences of instructions contained in main memory 506. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the invention. Thus, embodiments of the invention are not limited to any specific combination of hardware circuitry and software.

The term "computer-readable medium" as used herein refers to any medium that participates in providing instructions to processor 504 for execution. Such a medium may take many forms, including but not limited to, non-volatile media, volatile media, and transmission media. Non-volatile media includes, for example, optical or magnetic disks, such as storage device 510. Volatile media includes dynamic memory, such as main memory 506. Transmission media includes coaxial cables, copper wire and fiber optics, including the wires that comprise bus 502. Transmission media can also take the form of acoustic or light waves, such as those generated during radio wave and infrared data communications.

Common forms of computer-readable media include, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, or any other magnetic medium, a CD-ROM, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, a RAM, a PROM, an EPROM, a FLASH-EPROM, any other memory chip or cartridge, a carrier wave as described hereinafter, or any other medium from which a computer can read.

Various forms of computer-readable media may be involved in carrying one or more sequences of one or more instructions to processor 504 for execution. For example, the instructions may initially be carried on a magnetic disk of a remote computer. The remote computer can load the instructions into its dynamic memory and send the instructions over a telephone line using a modem. A modem local to computer system 500 can receive the data on the telephone line and use an infrared transmitter to convert the data to an infrared signal. An infrared detector coupled to bus 502 can receive the data carried in the infrared signal and place the data on bus 502. Bus 502 carries the data to main memory 506, from which processor 504 retrieves and executes the instructions. The instructions received by main memory 506 may optionally be stored on storage device 510 either before or after execution by processor 504.

Computer system 500 also includes a communication interface 518 coupled to bus 502. Communication interface 518 provides a two-way data communication coupling to a network link 520 that is connected to a local network 522. For example, communication interface 518 may be an integrated services digital network (ISDN) card or a modem to provide a data communication connection to a corresponding type of telephone line. As another example, communication interface 518 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN. Wireless links may also be implemented. In any such implementation, communication interface 518 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.
Network link 520 typically provides data communication through one or more networks to other data devices. For example, network link 520 may provide a connection through local network 522 to a host computer 524 or to data equipment operated by an Internet Service Provider (ISP) 526. ISP 526 in turn provides data communication services through the world wide packet data communication network now commonly referred to as the "Internet" 528. Local network 522 and Internet 528 both use electrical, electromagnetic or optical signals that carry digital data streams. The signals through the various networks and the signals on network link 520 and through communication interface 518, which carry the digital data to and from computer system 500, are exemplary forms of carrier waves transporting the information.

Computer system 500 can send messages and receive data, including program code, through the network(s), network link 520 and communication interface 518. In the Internet example, a server 530 might transmit a requested code for an application program through Internet 528, ISP 526, local network 522 and communication interface 518. In accordance with the invention, one such downloaded application provides for validating connections to a network system as described herein.

The received code may be executed by processor 504 as it is received, and/or stored in storage device 510, or other non-volatile storage for later execution. In this manner, computer system 500 may obtain application code in the form of a carrier wave.

In this configuration, the systems and methods of embodiments of the invention offer distinct advantages over past approaches. For example, authentication of a second channel occurs automatically; the user is not required to enter authentication information or authorization information a second time at the keyboard of the client. Also, token cards can be used in conjunction with hands-off devices, such as routers and other devices. Further, password security is improved. If a user saves a password and the password is compromised, the second authentication step of the invention renders the password useless.

Thus, in an exemplary embodiment, the initial link is established using CHAP. The user opens the link to traffic by authenticating with a Token card, which is highly secure. Additional links are added to the multilink bundle in a manner that is transparent to the user.

The static CHAP password resides in the router and need not be changed to accommodate one-time passwords. The user provides additional security by telnetting to the network access server and providing the one-time password.

Finally, even if the client computer or router is stolen, or the user's password is otherwise compromised, security is enhanced because the one-time password from the token card is initially required.

The invention is not limited to the context shown in drawing figures, and the spirit and scope of the invention include other contexts and applications in which the upgrade and diagnostic functions described herein are available to other mechanisms, methods, programs, and processes. For example, although personal computers have been used for illustrative purposes, other devices, such as workstations or laptop computers, may be configured to perform the same functions. Thus, the specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.

What is claimed is:

1. A method for establishing connections between a client and a server, the method comprising the steps of:
receiving a request to establish a connection between the client and the server;
performing client authentication by determining whether the client is allowed to connect to the server;
performing client authorization by assigning a set of client access privileges to the connection;
performing user authentication by determining whether the user is allowed to access the server; and
performing user authorization by assigning a set of user access privileges to the connection.

2. The method as recited in claim 1, wherein the step of performing user authentication comprises the steps of:
receiving user access information, wherein the user access information is associated with a particular user; and
determining whether the user is allowed to access the server based on the user access information that is received.

3. The method as recited in claim 2, wherein the step of performing user authorization comprises the steps of:
determining the set of user access privileges based on the user access information; and
replacing the set of client access privileges assigned to the connection with the set of user access privileges.

4. The method as recited in claim 1, wherein the step of receiving the request to establish the connection comprises the step of receiving a dial-in request at the server from the client.

5. The method as recited in claim …, wherein the step of performing client authentication phase comprises the steps of:
receiving client access information that is associated with the client; and
determining whether the user is allowed to access the server based on the client access information that is received.

6. The method as recited in claim 5, wherein the step of performing client authorization comprises the steps of:
identifying a set of minimal access rights, wherein the set of minimal access rights severely restricts functions that can be performed through the connection; and
assigning the set of minimal access rights to the connection.

7. The method as recited in claim 1, wherein the step of performing client authentication comprises the steps of authenticating the client using the Challenge Handshake Authentication Protocol (CHAP).

8. The method as recited in claim 1, wherein the step of performing client authentication phase comprises the step of authenticating the client using the Password Authentication Protocol (PAP).

9. The method as recited in claim 1, wherein the step of performing client authentication comprises the step of establishing a first connection between the client and the network access server when the client is allowed to connect to the server.

10. The method as recited in claim 2, wherein the step of receiving user access information comprises the step of receiving user access information that is supplied from a Token card.

11. The method as recited in claim 2, wherein the step of receiving user access information comprises the steps of:
displaying a login window on the client; and
receiving user access information in the login window.

12. The method as recited in claim 9, wherein the step of establishing the first connection comprises the step of establishing a first Point-to-Point (PPP) connection between the client and the network access server.

13. The method recited in claim 9, wherein the step of establishing the first connection comprises the step of establishing a first Serial Line Internet Protocol (SLIP) connection between the client and the network access server.
14. The method recited in claim 1, further comprising the steps of:
receiving a second request to establish a second connection between the client and the server;
performing a second client authentication by determining whether the client is allowed to connect to the server;
determining whether a first connection is active between the client and the server; and
assigning the set of user access privileges to the second connection, wherein the set of user access privileges are assigned to the second connection without performing a second user authentication.

15. The method as recited in claim 14, wherein the step of performing the second client authentication comprises the step of establishing the second connection between the client and the network access server when the client is allowed to connect to the server.

16. The method recited in claim 15, wherein the step of establishing the second connection comprises the step of establishing a second Point-to-Point (PPP) connection between the client and the network access server.

17. The method recited in claim 15, wherein the step of establishing the second connection comprises the step of establishing a second Serial Line Internet Protocol (SLIP) connection between the client and the network access server.

18. The method recited in claim 15, wherein the step of establishing the second connection comprises the steps of:
generating a bundle header at the network access server;
attaching the first connection and the second connection to the bundle header.

19. A method for establishing multiple connections between a client and a server, the method comprising the steps of:
receiving a request to establish a first connection between the client and the server;
performing a first client authentication phase, wherein the first client authentication phase determines whether the client is allowed to connect to the server;
performing a client authorization phase, wherein the client authorization phase assigns a set of client access privileges to the first connection;
performing a user authentication phase, wherein the user authentication phase determines whether the user is allowed to access the server;
performing a user authorization phase, wherein the user authorization phase assigns a set of user access privileges to the first connection;
receiving a request to establish a second connection between the client and the server;
performing a second client authentication phase, wherein the second client authentication phase determines whether the client is allowed to connect to the server; and
assigning the set of user access privileges to the second connection.
20. A computer-readable medium carrying one or more sequences of instructions for authenticating connections to a network access server, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:

receiving a request to establish a connection between the 
client and the server; 

performing a client authentication phase, wherein the 
client authentication phase determines whether the cli- 
ent is allowed to connect to the server; 

performing a client authorization phase, wherein the cli- 
ent authorization phase assigns a set of client access 
privileges to the connection; 

performing a user authentication phase, wherein the user 
authentication phase determines whether the user is 
allowed to access the server; and 

performing a user authorization phase, wherein the user 
authorization phase assigns a set of user access privi- 
leges to the connection. 

21. A computer data signal embodied in a carrier wave, the computer
data signal carrying one or more sequences of instructions for
authenticating connections to a network access server, wherein
execution of the one or more sequences of instructions by one or more
processors causes the one or more processors to perform the steps of:

receiving a request to establish a connection between the client and
the server;

performing a client authentication phase, wherein the client
authentication phase determines whether the client is allowed to
connect to the server;

performing a client authorization phase, wherein the client
authorization phase assigns a set of client access privileges to the
connection;

performing a user authentication phase, wherein the user
authentication phase determines whether the user is allowed to access
the server; and

performing a user authorization phase, wherein the user authorization
phase assigns a set of user access privileges to the connection.

22. A computer apparatus comprising:
a processor; and

a memory coupled to the processor, the memory containing one or more
sequences of instructions for authenticating connections to a network
access server, wherein execution of the one or more sequences of
instructions by the processor causes the processor to perform the
steps of:

receiving a request to establish a connection between the client and
the server;
performing a client authentication phase, wherein the client
authentication phase determines whether the client is allowed to
connect to the server;
performing a client authorization phase, wherein the client
authorization phase assigns a set of client access privileges to the
connection;
performing a user authentication phase, wherein the user
authentication phase determines whether the user is allowed to access
the server; and
performing a user authorization phase, wherein the user authorization
phase assigns a set of user access privileges to the connection.
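The following is an added example (not the patent's own code) modelling the four-phase procedure of claims 20 to 22 for a first connection, and the claim 19 procedure in which a second connection from the same client repeats only client authentication and receives the user access privileges already assigned to the first connection. All credentials, privilege sets, class and function names are constructed for illustration.

```python
# Added example, not the patent's code. Credential stores, privilege
# sets and identifiers are constructed stand-ins for a AAA back end.
from dataclasses import dataclass, field

CLIENT_DB = {"client-a": "client-secret"}                 # client credentials (constructed)
USER_DB = {"alice": "alice-pw"}                           # user credentials (constructed)
CLIENT_PRIVS = {"client-a": {"ppp", "multilink"}}         # client authorization results
USER_PRIVS = {"alice": {"ip-pool:remote", "acl:staff"}}  # user authorization results


@dataclass
class Bundle:
    """Bundle header: ties all connections of one client to one authorized user."""
    client: str
    user: str
    user_privs: frozenset
    connections: list = field(default_factory=list)


class NetworkAccessServer:
    def __init__(self):
        self.bundles = {}  # client id -> Bundle of that client's open connections

    def _client_auth(self, client, secret):
        # Client authentication phase: is this client allowed to connect at all?
        if CLIENT_DB.get(client) != secret:
            raise PermissionError("client authentication failed")
        return frozenset(CLIENT_PRIVS.get(client, ()))  # client authorization phase

    def first_connection(self, client, secret, user, password):
        """Claims 20-22: all four phases run for a fresh connection."""
        client_privs = self._client_auth(client, secret)
        if USER_DB.get(user) != password:  # user authentication phase
            raise PermissionError("user authentication failed")
        user_privs = frozenset(USER_PRIVS.get(user, ()))  # user authorization phase
        conn = {"client_privs": client_privs, "user_privs": user_privs}
        self.bundles[client] = Bundle(client, user, user_privs, [conn])
        return conn

    def second_connection(self, client, secret):
        """Claim 19: only client authentication is repeated; the user is not
        re-prompted because user privileges come from the existing bundle."""
        client_privs = self._client_auth(client, secret)
        bundle = self.bundles.get(client)
        if bundle is None:  # nothing to associate with: require the full procedure
            raise PermissionError("no bundle for client; full authentication required")
        # Limited privileges until the connection is attached to the bundle.
        conn = {"client_privs": client_privs, "user_privs": frozenset()}
        bundle.connections.append(conn)
        conn["user_privs"] = bundle.user_privs  # assign the user access privileges
        return conn
```

The check in `second_connection` that a bundle already exists is what keeps client authentication alone from ever yielding user privileges.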
